Help prevent spoofing and spam with SPF

Protect against spoofing & phishing, and help prevent messages from being marked as spam

Google Workspace uses 3 email standards to help prevent spoofing and phishing of your organization’s Gmail. These standards also help ensure your outgoing messages aren’t marked as spam. We recommend Workspace administrators always set up these email standards for Gmail: 

  • SPF: Specifies the servers and domains that are authorized to send email on behalf of your organization.
  • DKIM: Adds a digital signature to every outgoing message, which lets receiving servers verify the message actually came from your organization.
  • DMARC: Lets you tell receiving servers what to do with outgoing messages from your organization that don’t pass SPF or DKIM.
Learn more about how standard email authentication helps keep your organization’s email safe.

SPF is a standard email authentication method. SPF helps protect your domain against spoofing, and helps prevent your outgoing messages from being marked as spam by receiving servers. SPF specifies the mail servers that are allowed to send email for your domain. Receiving mail servers use SPF to verify that incoming messages that appear to come from your domain were sent by servers authorized by you.

Without SPF, messages sent from your organization or domain are more likely to be marked as spam by receiving mail servers.

Get started

Go to the steps for setting up SPF.

If you send email with Google Workspace only, get your SPF record in Define your SPF record—Basic setup.

Email authentication for Gmail

In addition to SPF, we recommend that you set up DKIM and DMARC. These authentication methods provide more security for your domain, and help ensure messages from your domain are delivered as expected. For more information on DKIM and DMARC, go to Help prevent spoofing, phishing, and spam.

Video: Why set up email authentication?

Why set up email Authentication?

Email authentication helps prevent messages your organization sends from being flagged as spam.

Video: What are SPF and DKIM

What are SPF and DKIM?

SPF and DKIM help prevent spammers from impersonating your organization.

How SPF protects against spoofing and spam

Helps prevent spoofing

Spammers can forge your domain or organization to send fake messages that appear to come from your organization. This is called spoofing. Spoofed messages can be used for malicious purposes. For example spoofed messages can spread false information, send harmful software, or trick people into giving out sensitive information. SPF lets receiving servers verify that mail that appears to come from your domain is authentic, and not forged or spoofed. 

To further protect against spoofing and other malicious email activity, we recommend you also set up DKIM and DMARC.

Helps deliver messages to recipients' inboxes

SPF helps prevent messages from your domain from being delivered to spam. If your domain doesn’t use SPF, receiving mail servers can’t verify that messages that appear to be from your domain actually are from you.

Without SPF, receiving servers might send your valid messages to recipients' spam folders, or might reject valid messages.

What you need to do


"Before you begin SPF"

Before you set up SPF

  • Get the sign-in information for your domain provider
  • Understand IP addresses
  • Understand DNS TXT records
  • (Optional) Check for an existing SPF record
  • Identify all your email senders

For details, go to Before you set up SPF.


"SPF record basic"

Define your SPF recordBasic

Tip: This article is for people who don't have experience setting up SPF or email servers.

  • SPF record you can copy, for sending email with Google Workspace only
  • SPF record examples, for sending email with Google Workspace and your other email senders

For details, go to Define your SPF record—Basic setup.


"SPF record advanced"

Define your SPF record—Advanced

Tip: This article is for IT professionals and people who have experience setting up email servers.

  • SPF record format and requirements
  • SPF record mechanisms
  • SPF record qualifiers

For details, go to Define your SPF record—Advanced setup.


"SPF record"

Add your SPF record at your domain provider

  • Add your SPF record to your domain
  • Add an SPF record for a subdomain
  • Update your SPF record for new senders

For details, go to Add your SPF record at your domain provider.


"Turn of SPF"

Troubleshoot SPF issues

  • Verify your SPF record
  • Verify messages pass SPF authentication
  • Make sure your SPF record includes all email senders
  • Review your email sending practices
  • Advanced troubleshooting

For details, go to Troubleshoot SPF issues.


Related topics

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false